
Sec + Chapter 12

Social engineering
Phishing, shoulder surfing, dumpster diving
Capturing
Keylogger, protocol analyzer, man-in-the-middle and replay attacks
Resetting
Attacker gains physical access to computer and resets password
Offline cracking
-Method used by most password attacks today
-A one-way hash algorithm creates a unique digital fingerprint (digest) when the password is first created
-When the user logs in, a digest is created from the entered password and compared to the stored digest
-With offline cracking, attackers steal the password digests, load the file onto their own computers, and attempt to discover the passwords by comparing the stolen digests with digests they create themselves (candidates)
Brute force attack
Every possible combination of letters, numbers, and characters is used to create candidate digests, which are then matched against those in the stolen digest file
Dictionary attack
Attacker creates digests of common dictionary words as candidates
Pre-image attack
Dictionary attack that uses a set of dictionary words and compares their digests with the stolen digests; one known digest (from a dictionary word) is compared to an unknown digest (stolen digest)
Birthday attack
Search is for any two digests that are identical (a collision), rather than for one specific digest
Hybrid attack
-Variation of dictionary attack

-Combines dictionary attack with brute force attack

-Slightly alters dictionary words by:
-Adding numbers to the end of the word
-Spelling words backward
-Slightly misspelling words
-Including special characters (@, $, !, or %)

Rainbow tables
-Creates a large pregenerated data set of candidate digests

-Generating a rainbow table requires a significant amount of time

-Once created, it has significant advantages:
-Can be used repeatedly for attacks on other passwords
-Rainbow tables are much faster than dictionary attacks
-Amount of memory needed on the attacking machine is greatly reduced

LM (LAN Manager) hash
Instead of encrypting the password with another key, the password itself is used as the key
LM hash is considered a very weak function
NTLM (New Technology LAN Manager) hash
-More secure password hash algorithm
-Currently NTLMv2
Key stretching
-Two popular key stretching password hash algorithms are bcrypt and PBKDF2
-Specialized password hash algorithms intentionally designed to be slower, which limits the attacker's ability to crack passwords because significantly more time is required to create each candidate digest
Salt
-Random string used in password hash algorithms, combined with the password before it is hashed
Time-based one-time password (TOTP)
-User enters her username along with the code currently being displayed on the token

-Code changes after a set time period

-Token and corresponding authentication server share an algorithm (each user's token has a different algorithm)

-The token generates a code from the algorithm once every 30 to 60 seconds; the code is valid for only a brief period of time

HMAC-based one-time password (HOTP)
-Password is "event-driven" and changes when a specific event occurs
-Example: when the user enters a personal identification number (PIN) on the token's keypad, this triggers the token to create a random code
Token Advantages
Tokens produce dynamic passwords that change frequently
Smart card
Contains an integrated circuit chip that can hold information to be used as part of the authentication process
Common access card (CAC)
U.S. Department of Defense (DoD) smart card used for identification of active-duty and reserve military personnel along with civilian employees and special contractors
Personal Identity Verification (PIV)
Smart card standard covering all U.S. government employees
Standard Biometrics
-Uses a person's unique physical characteristics for authentication
-Fingerprint scanners are the most common type
-Face, hand, or eye characteristics are also used
-Biometrics commonly used in physical security: access to a secure area is restricted to only those whose fingerprint or retina is scanned
Cognitive biometrics
-Related to the perception, thought process, and understanding of the user

-Considered to be much easier for the user to remember and more difficult for an attacker to imitate

Behavioral biometrics
-Authentication based on actions that the user is uniquely qualified to perform

-Examples: keystroke dynamics, voice recognition

Geolocation
-Identification of the location of a person or object using technology

-Geolocation may not uniquely identify a user, but it can indicate whether an attacker is trying to perform a malicious action from a location different from the user's normal location
-If a computer in China attempts to access a user's bank website, this may be an indication that an attacker

Identity management
Single authentication credential shared across multiple networks
Federated identity management (FIM)
When networks are owned by different organizations
Single sign-on (SSO)
One application of FIM using one authentication credential to access multiple accounts or applications
OpenID
-Decentralized open source FIM
-Does not require specific software to be installed on the desktop

-URL-based identity system
-OpenID provides a means to prove that a user owns the URL

Open Authorization (OAuth)
-Permits users to share resources stored on one site with a second site without forwarding authentication credentials

-Allows seamless data sharing among sites

-Relies on token credentials, which are issued for specific resources on a site for a limited time period
-Replaces the need to transfer the user's username and password
